The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Lack of Minimum Amount Check in `SmartVaultV3::mint`, `SmartVaultV3::burn`, and `SmartVaultV3::swap` Can Result in Loss of Fees

n0kto

Description

The absence of a minimum requirement check for _amount in SmartVaultV3::mint, SmartVaultV3::burn, and SmartVaultV3::swap allows a user to send a very small amount, effectively bypassing fees.

Impact

This could result in a loss of fees for the protocol. However, the likelihood of this scenario is low, given that an attacker would need to spend a significant amount of gas for multiple transactions, making it less impactful.

It's important to note that if any fees rate is decreased in the future, it could exacerbate the problem.

Proof of Concept

Foundry PoC

function testMintWeakAmountForNoFee() public {

vm.startPrank(vaultUser);

USDs.transfer(address(vault), 100e18);

// Loop to mint without fees

for (uint i; i < 20; i++) {

vault.mint(vaultUser, 18);

}

// Check the USDs balance of the manager

assertEq(EUROs.balanceOf(address(liquidationPoolManager)), 0);

vm.stopPrank();

}

function testBurnWeakAmountForNoFee() public {

vm.startPrank(vaultUser);

USDs.transfer(address(vault), 100e18);

vault.mint(vaultUser, 10e18);

// Loop to burn without fees

for (uint i; i < 20; i++) {

vault.burn(18);

}

// Check the USDs balance of the manager, removing minting fees

assertEq(EUROs.balanceOf(address(liquidationPoolManager)) - 5e16, 0);

vm.stopPrank();

}

Recommended Mitigation

Implement a minimum threshold check in SmartVaultV3::mint, SmartVaultV3::burn, and SmartVaultV3::swap. Example: require(_amount > 1e8).

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

mint-precision

0x27281m Auditor

over 1 year ago

0x27281m Auditor

over 1 year ago

hrishibhat Lead Judge

over 1 year ago

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

mint-precision

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.